RESEARCH REPORT

Endpoint Security Effectiveness: How organizations protect their endpoints against and

Endpoint tipping point

Hear us out: attacks either begin on an endpoint or are headed to one.

Why do we make this argument? As has been documented with nearly all ransomware, employees and end users are often the easiest way into an enterprise, large or small, via phishing schemes or malspam. Getting just one user in an organization to open a malicious attachment on their endpoint can be a weak link in your carefully executed security strategy.

At that point, attackers have a foothold on a single laptop, establish persistence, and begin to move laterally – this is how a single infection becomes a full-scale breach.

Least privilege and Zero Trust approaches are global best practices to contain threats. However, the Zero Trust discussion has centered on campus networks, clouds, and data centers – but not yet endpoints, the place where attacks begin.

We wanted to get a sense for how organizations view the effectiveness of their endpoint security, given the disastrous results that can come from ransomware and malware spreading in an enterprise (more on this to come).

Illumio teamed up with Virtual Intelligence Briefing (ViB), an interactive online community focused on emerging through rapid growth stage technologies. ViB’s community is comprised of more than 1.2M IT practitioners and decision makers who share their opinions by engaging in sophisticated surveys across IT domains including information security.

This report sums up our findings, with insights into endpoint security efforts, detection adequacy, and the key gap that needs to be addressed.

What did we learn, in a nutshell?

Organizations are indeed dealing with many of the tactics, techniques, and procedures (TTPs) of today’s sophisticated and varied ransomware attacks.

Most respondents have updated their endpoint security to include endpoint detection and response (EDR) capabilities.

The majority of respondents admit that their endpoint security does not stop everything, and that it needs some time to detect malicious files.

Once breached, there is limited means to contain malware that has gotten in.


Who did we talk to?

We spoke to 461 IT and security professionals from a cross-section of mid- to large-sized companies, with 57% from companies with over 1,500 employees.

JOB ROLE

IT Infrastructure 35%

Networking 13%

Security 11%

Desktop/End-User Security/Technology 9%

Remote Working Technology 7%

CIO 4%

Compliance 3%

CISO 3%

COMPANY SIZE

5,000+ 35%

2,501-5,000 14%

1,501-2,500 8%

501-1,500 21%

151-500 22%


Easy money

Why do attacks keep targeting endpoints? In two words: easy money.

Ransomware and malware attacks are lucrative, the fallout is considerable, and attacks will continue to happen.

In 2017, the FBI estimated the total amount of ransomware payments approached $1 billion annually. New estimates suggest global ransomware damages will reach $20 billion by 2021 due to the profitable nature of attacks, according to Cybersecurity Ventures.

It turns out attackers are not religious about filing tax returns nor are companies eager to disclose a major attack – unless they have no alternative. This means the total economic fallout is likely under-reported. This may change as some ransomware attacks now lock up systems after exfiltrating sensitive data, forcing more corporations into fighting public extortion battles over payment.

The attacks we must deal with

Ransomware is a volume business. It’s more lucrative to ransom an entire fleet of laptops or a whole network segment than a single system. For this reason, malware and attackers use lateral movement as a key technique to propagate across enterprise endpoints. Over the past few years, we have seen different types of attacks evolve that include lateral movement, vastly increasing the scope of a breach beyond the first infected endpoint. Let’s look at a couple of common ones.

Automated ransomware: This is ransomware designed to move laterally on its own, once inside, and is sometimes referred to as a “ransomworm.” You should be familiar with it, not just due to the headlines WannaCry and NotPetya generated, but also because of the patches and warnings published by Microsoft and security vendors.

The truth is these attacks were staggeringly effective and fast. It has been reported that a large bank in Ukraine saw its network locked up in (drumroll) 45 seconds with NotPetya. Maersk, a global logistics company, saw its global IT infrastructure crumble in 7 minutes.

How did they move so fast? They propagated peer-to-peer since there were no internal barriers or endpoint segmentation to prevent lateral movement. You may recall how WannaCry spread laterally: via SMB file shares on TCP ports 137, 139, 445.

Attacker-controlled, LotL: Attacker-controlled, living off the land (LotL) attacks don’t move as quickly as ransomware with lateral movement built-in, but they are just as devastating due to long dwell time for surveilling an environment. US municipalities have reported a wave of attacks in recent years – many along these lines. In most cases like these, attackers case environments for weeks prior to the ransomware encryption.

These attacks gain a foothold via phishing or brute-forcing poorly configured services like Remote Desktop Protocol (RDP) used for remote access to Windows. Once inside, attacks are methodical, attempting peer-to-peer lateral movement via open ports, for example exploiting RDP or WMI, to ideally reach a domain controller.

Credential harvesting, a thorn in security’s collective side, is also used to move laterally. Tools like Mimikatz facilitate this, allowing for privilege escalation, so attackers have greater levels of permission in the network.

Either way, attackers often reach domain controllers, making them an IT admin in the company they are attacking.

At this point they continue to “live off the land” leveraging existing IT administrative frameworks like PsExec, used to execute processes on other systems, or PowerShell, used to automate operating system management tasks, to drop malicious files onto systems. Some attacks may apply double extortion, by exfiltrating sensitive data before encrypting. Not only are systems locked up, but the sensitive information can be leaked publicly unless victims pay up, amounting to additional pressure for organizations to pay ransoms.


What attacks have (hopefully) been addressed?

What do these attacks have in common? Lateral movement that sees attacks go from the first infected system to as many as possible. Preventing this has now become a key aspect of defense-in-depth. We asked survey respondents the types of attacks they have accounted for in their security today, below.

Despite that global scare that WannaCry and NotPetya prompted (or perhaps we should say EternalBlue and DoublePulsar), 46% of respondents note they have yet to address self-propagating ransomware and malware.

What are people working on currently? Credential harvesting, with 41% of respondents noting that they are actively addressing or planning to address it. Another 41% of respondents feel they have addressed credential harvesting.

We hope that 41% have indeed been able to address this, given how challenging it can be to guard against and how often credential harvesting is used in attacker TTPs.

60% say that they’ve taken care of malware moving from laptops to servers. That is serious stuff, so let’s hope they mean it.

CURRENT STATUS OF LATERAL MOVEMENT-BASED THREATS

Figures are given in the order: Plan to address / Working on it / Have addressed / No plan to address

Credential harvesting used to move internally: 11% / 41% / 41% / 7%

Using email systems to propagate internally after initial infection (a la Emotet): 9% / 35% / 51% / 5%

Malware that self-propagates via P2P file sharing, like SMB (a la WannaCry): 8% / 32% / 54% / 6%

Malware/ransomware that propagates from end-user devices (laptops) into our server estate (campus, data center, and cloud): 6% / 31% / 60% / 2%


Endpoint security’s tall order

Endpoint security has been given a tall order – being entirely effective in stopping all the ransomware and malware used in the attacks we just described, even never-before-seen threats.

Headed in the right direction (kind of)

We’ve seen rapid development in the endpoint security space over the past decade with the rise of next-generation antivirus (NGAV) and endpoint detection and response (EDR) tools. This is imperative to keep pace with fileless attacks or polymorphic malware that changes rapidly and is tested thoroughly by the bad guys prior to being released into the wild.

The antivirus (AV) protection we relied on for years was losing effectiveness in stopping malware. Attackers evaded AV scans that would ostensibly block files from executing by merely adjusting malicious files slightly so they don’t match the AV database signatures, thus yielding infections.

For this reason, NGAV and EDR were developed. These tools call on more sophisticated, cloud-delivered malware detection and deep device visibility to account for threats that may not be possible to detect on the initial scan. Once a file is let onto a system, EDR continues to closely monitor both the file and system. EDR can detect malicious activity on endpoints consistent with malware or ransomware: changes to processes, DLLs and registry settings, file and network activity, and so on. If this activity is detected, EDR can retrospectively remove files or isolate systems.

What tools are most relied on today? EDR is the most common at 73%, but respondents also acknowledge they have antivirus capabilities to block all known malicious files. The fact that the majority of respondents have EDR capabilities seems surprising but is likely because vendors they rely on for antivirus have added some EDR capabilities. Whether all capabilities of EDR have been deployed and are functioning is another question.

TOOLS CURRENTLY IN USE

Endpoint detection and response (EDR) 73%

Antivirus 72%

Endpoint protection platform (if separate from EDR) 26%


Well, that was fast

While the majority call on tools like EDR to protect endpoints, we wonder: how effective is this endpoint security? How much malware is missed? If EDR relies on time-to-detection to identify threats, how long does it need? We asked, and here is what we heard.

SURVEY RESPONSES

“...not sure how long it takes to detect.”

“...sometimes it’s only detected after it has spread.”

“...system detects immediately but response...can be delayed due to escalation, especially off hours.”

ESTIMATION OF MISSED MALWARE

< 1% 41%

1-5% 39%

5-10% 17%

> 10% 4%

LENGTH OF TIME FROM INITIAL INFECTION TO DETECTION

< 30 minutes 45%

30 minutes to 2 hours 30%

2 to 6 hours 15%

> 6 hours 4%

We would never know 7%

56% of respondents feel that their endpoint security tools miss between 1 and 10% of malware. That is a real gap to account for. 41% feel it catches nearly everything at <1%, but remember, nearly everything is not everything.

59% of respondents from organizations with more than 5,000 employees feel that their endpoint security will miss between 1 and 10 percent of malware, no less.

How fast is fast enough? That is, how long does EDR need to detect? 45% feel that EDR will detect malware within 30 minutes. Another 30% feel EDR tools need between 30 minutes and two hours.

On one hand, this seems rapid. Malware only has up to two hours to inflict damage. On the other, if attacks like NotPetya took down entire networks in 45 seconds, we’ll still need to figure out ways to prevent malware from spreading to backstop tools like antivirus or EDR if they need up to two hours to detect it.


How did you get in here?

Once malware has gained a foothold, it moves laterally to infect as many laptops or servers as possible. Endpoint security tools aren’t perfect, so how do we backstop them to prevent propagation?

We usually don’t. At 64% most respondents rely on EDR to isolate the host once malware has been detected, which may take 30 minutes or two hours. Either way, there is a window of vulnerability in which malware or ransomware can spread. 16% of respondents go to the painstaking effort of creating a Group Policy Object (GPO) to limit lateral movement between laptops.

With nearly 1 in 3 respondents reporting 11+ incidents per week, any missed detection or delay in response could cause rapid escalation.

NUMBER OF INCIDENTS PER WEEK

0-10 69%

11-25 18%

26-50 5%

50 or more 7%

PREVENT THE COMPROMISE

Quarantine/isolate host after detecting malware 64%

Relying only on endpoint security to prevent malware from propagating to other machines 19%

Use Windows Firewall (via Microsoft Group Policy Objects) to prevent propagation 16%

Other 2%
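The Windows Firewall-via-GPO backstop that 16% of respondents report using, applied to the ports the report names earlier (SMB on TCP 137, 139 and 445 as WannaCry used; RDP and WMI as living-off-the-land attacks use). This is an added example, not configuration from the report or from Illumio; the domain, GPO name and subnet ranges are assumed placeholders.

```powershell
# Added example, not from the report: block workstation-to-workstation traffic on the
# ports the report names (NetBIOS/SMB 137, 139, 445 used by WannaCry; RDP 3389 and the
# WMI/DCOM endpoint mapper 135 used by living-off-the-land attacks) via a domain GPO.
# Placeholders (assumptions, not from the report): domain, GPO name and subnets.
# Needs the NetSecurity and GroupPolicy modules on a domain-joined admin host.

$Domain  = 'corp.example'                           # placeholder
$GpoName = 'Workstation Lateral Movement Block'     # placeholder
$Store   = "$Domain\$GpoName"

# Address ranges (placeholders). Windows Firewall evaluates explicit Block rules
# before Allow rules, so the block set must be scoped to the workstation ranges and
# must not overlap the admin ranges that still need these ports.
$WorkstationNets = @('10.50.0.0/16', '10.51.0.0/16')
$AdminNets       = @('10.10.0.0/24', '10.20.5.0/24')   # jump hosts, EDR/patch servers

$Blocked = @(
    @{ Name = 'Block NetBIOS name service from workstations (UDP 137)'; Proto = 'UDP'; Port = 137 },
    @{ Name = 'Block NetBIOS session from workstations (TCP 139)';      Proto = 'TCP'; Port = 139 },
    @{ Name = 'Block SMB from workstations (TCP 445)';                  Proto = 'TCP'; Port = 445 },
    @{ Name = 'Block RDP from workstations (TCP 3389)';                 Proto = 'TCP'; Port = 3389 },
    @{ Name = 'Block RPC/DCOM mapper from workstations (TCP 135)';      Proto = 'TCP'; Port = 135 }
)

# One GPO session: write every rule, then save once so the GPO is updated in one step.
$Session = Open-NetGPO -PolicyStore $Store

foreach ($r in $Blocked) {
    New-NetFirewallRule -GPOSession $Session -DisplayName $r.Name `
        -Direction Inbound -Protocol $r.Proto -LocalPort $r.Port `
        -RemoteAddress $WorkstationNets -Action Block `
        -Profile Domain, Private, Public -Enabled True | Out-Null
}

# Management systems keep access to the same ports, scoped to the admin ranges only.
New-NetFirewallRule -GPOSession $Session `
    -DisplayName 'Allow management ports from admin subnets' `
    -Direction Inbound -Protocol TCP -LocalPort 135, 139, 445, 3389 `
    -RemoteAddress $AdminNets -Action Allow -Profile Domain -Enabled True | Out-Null

# Default-deny inbound closes the dynamic high ports DCOM/WMI negotiate after port 135,
# and disabling local rule merge stops a per-machine "File and Printer Sharing" allow
# rule from reopening SMB underneath the GPO.
Set-NetFirewallProfile -GPOSession $Session -Profile Domain, Private, Public `
    -DefaultInboundAction Block -AllowLocalFirewallRules False

Save-NetGPO -GPOSession $Session
```

Link the GPO to a pilot OU first: the block rules also stop legitimate peer-to-peer tools (remote assistance, local file shares between laptops) unless their sources are added to the admin allow set.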

The endpoint gap to fill

As you’ve learned in this report, organizations know their endpoint security will occasionally miss malware. We know that malware will then often look to propagate since lateral movement is a key TTP. This could lead to a data breach.

This gap in endpoint protection must be addressed.

This brings into focus the need for additional measures beyond endpoint security tools like NGAV or EDR to stop ransomware and malware from spreading once inside. Fortunately, the need to stop credential-based attacks is also generating considerable attention from the security industry given their gravity.

Organizations are best served with modern endpoint security, whether NGAV, EDR, or both, designed to detect and stop malware. Since no security technology is 100% effective, we must fill this gap with additional endpoint security capabilities meant to stop the lateral spread of ransomware and malware for additional risk mitigation.

This is where Zero Trust comes back into the discussion. Add Zero Trust, eliminate lateral movement. That’s its purpose. And it’s time to bring it to the endpoint.

Need help getting started? Learn how Illumio makes endpoint Zero Trust possible (and easy).


About Us

Illumio enables organizations to realize a future without high-profile breaches by providing visibility, segmentation, and control of all network communications across any endpoint, data center or cloud. Founded in 2013, the world’s largest enterprises, including Morgan Stanley, BNP Paribas, Salesforce, and Oracle NetSuite, trust Illumio to reduce cyber risk. For more information, visit www.illumio.com.

Illumio, Inc. 920 De Guigne Drive, Sunnyvale, CA 94085, Tel (669) 800-5000, www.illumio.com. Copyright © 2020 Illumio, Inc. All rights reserved. This document is protected by U.S. and international copyright and intellectual property laws. Illumio’s products and services are protected by one or more U.S. and international patents listed at https://www.illumio.com/patents. Illumio® is a trademark or registered trademark of Illumio, Inc. or its affiliates in the U.S. and other countries. To review a list of Illumio’s trademarks, go to https://www.illumio.com/trademarks. Third-party trademarks mentioned in this document are the property of their respective owners.
